Knowledge Partner

Mapping one field(IP Address) to another field(IP Address) with map file

Hi,

I'm trying to map the deviceAddress field to destinationAddress for Windows System logs because the destinationAddress field is empty for System logs. I use the Windows Native connector (v7.7).
Here is my map.0.properties file:

event.deviceEventCategory,set.expr(deviceAddress).event.destinationAddress
System,deviceAddress

The above mapping doesn't work. However, the following mapping works and both destinationAddress and destinationHostName get populated:

event.deviceEventCategory,set.expr(deviceHostName).event.destinationHostName
System,deviceHostName

The only difference is the data type of the fields. Do you have any idea why the map file didn't work with IP Address data types?

Thanks!

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
6 Replies
alexandros_n Honored Contributor.

Re: Mapping one field(IP Address) to another field(IP Address) with map file

I think it may be a problem of what kind of data the event has (host name or IP), as if one is missing, a DNS resolution needs to take place.

I had something similar and I ended up using additionalregexparsing.

Knowledge Partner

Re: Mapping one field(IP Address) to another field(IP Address) with map file

When I try to map the IP, it fails. Hostname works, and I think the connector performs IP resolution to add the IP to the address field.

AarushJ Super Contributor.

Re: Mapping one field(IP Address) to another field(IP Address) with map file

Hey hi,

Good Day!

Did you try this:
map.0.properties file in the $ARCSIGHT_HOME\current\user\agent\map\ directory with the following entries:
event.deviceExternalId,set.event.deviceAddress,set.event.deviceHostName
1, 1.1.1.1, HOSTNAME01
2, 1.1.1.2,HOSTNAME02
For the external ID you need to check in the logs before implementing.
Hope this will work; if it does, please mark it as an accepted solution.

AJ
Knowledge Partner

Re: Mapping one field(IP Address) to another field(IP Address) with map file

It's a static assignment. What I'm trying to do is dynamic assignment.

s1ang Super Contributor.

Re: Mapping one field(IP Address) to another field(IP Address) with map file

Hello!

Try it:

event.deviceEventCategory,set.expr(deviceAddress).event.destinationAddress
System,"__oneOfAddress(deviceAddress)"

 

Knowledge Partner

Re: Mapping one field(IP Address) to another field(IP Address) with map file

It didn't work either.

I have another question: how does the winc connector get the deviceAddress information? There is only computer information in the Windows event log. If the winc connector gets deviceAddress by performing a DNS lookup, it may be the reason why I couldn't map that information.
